Author Archives: brvanlanen
The key lies in preparation. Here a couple of things you want to do:
First make sure you know what current programs you want to re-install.
Before you do anything else, it’s handy to have a list of all your currently installed programs so you know what settings to back up, and which programs you want to reinstall later on.
Next backup …
Back up any Windows settings you can so you don’t have to do too much tweaking after you reinstall. The best way to do this is with Windows Easy Transfer, Windows’ built-in migration program for just such occasions.
Documents and files
Just copy these to an external drive or move them with Windows Easy Transfer as described above, though if you back up your computer regularly (which you should), you can always just restore them from your backup later on as well.
Then after completing the Windows re-install it’s time for the restore process. Basically it’s the opposite of what you did during the backup process. However what you may not have known is that there are tools out there that can help make re-installs of applications quick and easy. Keep in mind though that these tools won’t have all the programs you want to re-install.
Just check off all the programs you want, and Ninite will create an all-in-one package to install them in one fell swoop.
If you’re more of a command line geek, Chocolatey is a handy utility that brings Linux-style package management to Windows. With a few well-placed commands, you can install a ton of programs at once, bypassing the need for all those separate installers.
Portable apps essentially let you carry all your programs and settings over to another computer with no installation required. You’ll still have to search out each app yourself, but after you do it once, you’ll never have to do it again—every clean install from here on out will be much quicker because you’ll already have half your apps ready to go.
Head over to the source for all the details involved with performing a clean install of Windows.
- Beginner Geek: How to Reinstall Windows on Your Computer (howtogeek.com)
- Essential Windows Apps You Probably Missed (forums.pinstack.com)
- Expert Advice on Reinstalling to a Wiped Hard Drive (pc.answers.com)
As we’ve seen in recent years, natural disasters can lead to long-term downtime for organizations. Because earthquakes, hurricanes, snow storms, or other events can put data centers and other corporate facilities out of commission for a while, it’s vital that companies have in place a comprehensive disaster recovery plan.
Disaster recovery (DR) is a subset of business continuity (BC), and like BC, it’s being influenced by some of the key trends in the IT industry, foremost among them:
- Cloud services
- Server and desktop virtualization
- The proliferation of mobile devices in the workforce
- The growing popularity of social networking as a business tool
These trends are forcing many organizations to rethink how they plan, test, and execute their DR strategies. CSO previously looked at how these trends are specifically affecting IT business continuity; as with BC, much of the impact they are having on DR is for the better. Still, IT and security executives need to consider how these developments can best be leveraged so that they improve, rather than complicate, DR efforts.
Head over to the source and see how IT disaster recovery is being impacted by each of the four.
- 33 Cloud Service Providers Join Zerto Cloud Disaster Recovery Ecosystem (sys-con.com)
- Symantec and Microsoft team for disaster-recovery service (techworld.com.au)
- Colocation’s role in Disaster Recovery & Business Continuity (cashzilla.wordpress.com)
As technology evolves with the rise of the cloud and BYOD, so does the debate on keeping corporate information secure.
Many companies also require remote wiping capability on employee devices in case they are lost or stolen, plus communication encryption software. They also require employees not to use a single password for multiple sites, and some are forbidding passwords of a single word.
But Parris, who formerly held technical and sales management positions at Boeing Computer Services and founded Intercede, argues that securing email also requires identity management — a system that creates a digital identity for employees and other third parties connected to an enterprise, which will then track, “who is sending which email and information to whom, when and protecting it in transit and at rest.”
Even that will not ensure protection of the email, he said. “It must also be run on a secure platform that delivers tightly controlled policy to enforce data labeling, digital message signing, encryption and checking of the actual content.”
Jeff Wilson, principal analyst for security at Infonetics, agrees that an email management platform would help, since “most people are getting email on [multiple] mobile devices that could be lost, stolen, or compromised.”
But he noted a more basic problem for many companies: “They don’t even have an accurate inventory of devices connecting to their network or a framework for building a security policy and buying appropriate security solutions.”
Since email is the primary method of information sharing, enterprises must keep it secure, “to protect intellectual property and to compete in the global business environment,” Parris said.
An interesting and fun way to teach ethical hacking.
Control-Alt-Hack is based on Steve Jackson Games’ Ninja Burger, but from the characters to the mission cards to the entropy cards, the demystification of white hat computer security is the name of this game. Game co-designer, security researcher, and University of Washington Computer Security and Privacy Research Lab honorary member Adam Shostack said at the Black Hat 2012 confab here that when it comes to teaching ethical hacking, also known as white hat hacking, not enough educators “use carrots, not sticks.”
“Humor creates an open atmosphere,” that helps break down the shyness of learning, he said during the conference session about the game. He explained that people are more likely to ask questions about things that they think they should’ve already learned if it’s part of a game.
Games, he noted, have a spectrum from being as easy to learn as Go or dice games, all the way through Dungeons and Dragons or Settlers of Catan. Choosing a game to base Control-Alt-Hack on that involved humor and a bit of complexity would help keep the subject matter interesting for the target audience of teens and young adults.
In Control-Alt-Hack, you work as a researcher for a computer security company that gets hired to stress-test other companies. The deck of 156 cards includes 16 “person” cards to give you an identity during the game. The characters were given realistic traits, so there are no stereotypes of the obese, unkempt researcher covered in potato chip debris and pizza grease. Instead, you can play as one of eight men or eight women who have interests as varied as martial arts or rock climbing, and all are snazzily dressed in their artwork.
Look for it on store shelves later this year.
- Control-Alt-Hack: Can You Teach Hacking with a Card Game? (tomshardware.com)
- Card Game Turns You Into a White Hat Hacker (pcworld.com)
- Old-school card game delves into the dark world of computer security breaches (geekwire.com)
A tool for testing if Web application firewalls (WAFs) are vulnerable to around 150 protocol-level evasion techniques was released at the Black Hat USA 2012 security conference on Wednesday.
The tool and the research that went into its creation are the work of Ivan Ristic, director of engineering at security vendor Qualys and the original author of the popular ModSecurity Web application firewall.
Web application firewalls are designed to protect Web applications from known attacks, such as SQL injection attacks, that are commonly used to compromise websites. They do this by intercepting requests sent by clients and enforcing strict rules about their formatting and payload.
However, there are various methods for sneaking malicious requests that violate these rules past WAFs by modifying certain parts of their headers or the paths of requested URLs. These are known as protocol-level evasion techniques, and WAFs are not properly equipped to deal with them at the moment because the techniques are not very well documented, Ristic said.
The researcher tested the evasion techniques he found primarily against ModSecurity, an open source Web application firewall, but it’s reasonable to assume that other WAFs are vulnerable to some of them as well.
In fact, Ristic said he shared a few of the techniques with others during the research stage and that they had tested them successfully against some commercial WAF products.
Erwin Huber Dohner, head of research and development at Switzerland-based WAF vendor Ergon Informatik, confirmed after seeing Ristic’s presentation that the evasion methods are a problem for the industry.
The question is will this public release of research kick-start a discussion as Mr. Ristic hopes?
- Vulnerabilities in open source WAF ModSecurity (net-security.org)
- Protocol-Level Evasion of Web Application Firewalls (community.qualys.com)
- Web Application Firewalls and the False Sense of Security They can Create (acunetix.com)
The dark art of iOS app hacking presented at Black Hat.
There are three ways to hack an iOS app. One involves a zero-day exploit, a previously-unknown security hole. These are rare but not unheard of for iOS apps. The other two involve getting physical access to the phone, Zdziarski said.
“You can infect the phone without a passphrase. The virus or bit of code sits on the phone, waiting for the user to unlock it.” Or, he explained, “Give me two minutes with somebody’s phone and I can dump the entire file system from it.” From there, he said he could look at apps for an exploit to take advantage of remotely.
He argued that this could become a serious problem as iPhones and iPads continue to increase in popularity. Enterprise use of iOS is growing, he said, as is government use.
All due to a double-edged sword.
The problem, Zdziarski explained, comes from the double-edged sword that is the iOS monoculture. It has benefits, he said, including a reduced attack surface, rapid prototyping, and fewer holes to blame on the developer. But, he added, its homogeneous attack surface means that if you can hack one iOS device, you can hack nearly all. (While it’s true that there are different versions of iOS in use, there are significantly fewer than the different flavors of Android.)
Zdziarski noted that security has become an afterthought for iOS app developers, since they’re trusting Apple’s iOS Keychain and runtime to be secure. Keychain is the iOS feature that stores passwords, certificates, and other security-related items under encryption. “Anybody with freely available open source tools can get around that encryption now,” said Zdziarski, who said the encryption has been busted for two years. Zdziarski also showed how he didn’t even have to have the passcode to an iPhone to break its encryption. With a phone in his possession, he was able to drop a small piece of code from his computer onto the otherwise-locked phone. The code sits on the iPhone idle until the owner enters in the passcode, decrypting the file system and giving the malicious code access to the entire file system. “Developers are not turning on the encryption for most of their apps, and most users defer to a four-digit PIN, or a simple keyboard friendly passphrase.” So, although the phone’s operating system may be protected, the level of data security on the phone presumes that iOS won’t be hacked.
A great illustration of how developers need to understand the need for security trumps all.
- 19% Of iOS Apps Access Your Address Book Without Your Permission… Until iOS 6 [Report] (cultofmac.com)
- Apple investigating iOS in-app purchase hack (zdnet.com)
Another day, another set of cracking tools.
Cryptography specialist Moxie Marlinspike released tools at Defcon today for easily cracking passwords in wireless and virtual private networks that use a popular encryption protocol based on an algorithm from Microsoft called MS-CHAPv2, news that will no doubt worry many a network administrator.The tools crack WPA2 Wi-Fi Protected Access and VPN passwords used by corporations and organizations running networks that are protected by the PPTP Point-to-Point Tunneling Protocol, which uses MS-CHAPv2 for authentication.ChapCrack captures the MS-CHAPv2 handshakes, or SSL Secure Sockets Layer negotiation communications, and converts them to a token that can be submitted to CloudCracker.It takes less than a day for the service to return results in the form of another token that is plugged back into ChapCrack where the DES Data Encryption Standard keys are cracked. With that data, someone can see all of the information traveling across the Wi-Fi network, including sensitive corporate e-mails and passwords, and use passwords that were revealed to log in to corporate networks.The tools are designed for penetration testers and network auditors to use to check the security of their WPA2 protected networks and VPNs, but they may well be used by people who want to steal data and get unauthorized access to networks.
Yet another reason for businesses that haven’t done so yet to move beyond PPTP and Windows XP
- Stronger password hashing in .NET with Microsoft’s universal providers (troyhunt.com)
- Wireless Internet Security (techhelpertoday.wordpress.com)
Do you backup your data on a regular basis?
A new survey from a leading online backup provider found that PC and Mac users are backing up sensitive files and documents more regularly than they have in the past. Approximately 10 percent of computer users now back up their systems daily, compared to only 6 percent in 2011.
“These are the best results we’ve seen since we started tracking data backup five years ago,” online backup expert Gleb Budman said.
While not everyone backs up his or her computer on a daily basis, many people are doing so more frequently than in the past. The study noted that approximately 20 percent of computer users back up sensitive documents and applications roughly once a week, compared to only 14 percent in 2011 and 2 percent in 2008. Another 36 percent of survey respondents said they duplicate sensitive files roughly once a month, compared to only 26 percent who did so in 2008.
“It’s great to see that the desire to protect photos, videos, music and other data is becoming an everyday part of using a computer,” Budman said.
The survey also revealed, however, that roughly 29 percent of U.S. computer users have never used online backup tools to bolster data protection and minimize the chances of unnecessary data loss. The study noted that this trend varies between age groups, as roughly 35 percent of individuals older than 55 never use remote backup, while only 24 percent of 18- to 34-year-olds neglect to duplicate sensitive documents.
If you are backing up your data, what tool(s) do you use?
- 5 Little-Known Factors To Consider When Choosing An Online Backup Service (techattitude.com)
- How I Became a Believer in Online Backups (lockergnome.com)
- 10% of computer users only backup their data regularly putting 90% of all computer users’ still risk data loss. (stellarphoenixs.wordpress.com)
Symform, a revolutionary cloud storage and backup service, today announced enhancements to its Cloud Storage Network that improve the performance, security and international capabilities of Symform’s innovative peer-to-peer backup model. The new version accelerates data upload times for large data sets, offers more options for privacy control and supports long file path names and international characters. These features are in direct response to the global adoption of Symform’s Cloud Network by small and medium businesses in 150 countries and the continued explosive growth of digital data needing to be protected and stored.”At Symform, we are constantly searching for new and better ways to serve our fast-growing global customer base by offering a solution that is widely accessible and more affordable than costly, traditional cloud storage models,” said Praerit Garg, president and co-founder of Symform. “We take pride in offering the industry’s first decentralized cloud back-up and storage solution, and are continuing to innovate and perfect that model with each new release.”In a recent Symform survey, respondents overwhelmingly cited the cost of cloud storage as a top concern, particularly among resource-strapped small and mid-sized businesses SMBs. Symform offers a dramatic alternative to traditional ‘data center-reliant’ cloud storage models, using a peer-to-peer network of contributors and consumers that keeps costs to a minimum while ensuring the highest levels of security and reliability.
One of the keys with technology is to improve and enhance while remaining secure and reliable. It looks as if Symform is doing that while also keeping their service cost-effective. Check the source to see what innovations came with the latest release.
- We Need More Peer-to-Peer Shared Cloud Infrastructure (sys-con.com)
Some great advice and tips to follow when connecting your computer via Wi-Fi.
It’s a good idea to connect to public networks that require passwords when possible, as they tend to be more secure. Many public networks have a legal disclaimer stating network use and security. It pays to read these before connecting.
Turn Wi-Fi off We don’t mean you should turn your Wi-Fi off permanently, rather, when you’re not using your device, or are connected to another network, e.g., mobile data, turn your Wi-Fi connection off. If you have Wi-Fi on while connected to another network, your device can and will actively search for networks to connect to and often connect to an unsecure network, unintentionally exposing your information.
Use HTTPS when possible HTTPS stands for Hypertext Transfer Protocol with Secure Sockets Layer SSL. In layman’s terms this is a website that has been built with security of user’s data in mind. Many popular websites have a HTTPS version that can be accessed by typing in https://www.sitename.com. Using HTTPS makes websites a lot harder to hack, and it’s a good idea to get into the habit of using them when on a public network or connected to Wi-Fi outside of the office.
Use data not public hotspots Hotspots are public Wi-Fi connections usually provided by a company e.g., many coffee shops have Wi-Fi, this is a hotspot. These can be unsafe, so it’s much better to invest in a data connection for your device, or a mobile Internet stick, which are considerably safer as the data is encrypted before it’s transferred from the cell tower to your device.
Use a VPN A Virtual Private Network – VPN – connects multiple computers in different locations to the same network via the Internet. Many companies use this to connect and share data with satellite offices, as the data is encrypted and secure. The main benefit to VPNs is that you can connect to a public Wi-Fi network, and transfer data securely using the network’s bandwidth. Many businesses use some form of VPN, which makes it easy for you to keep your business data secure while out of the office.
There are also VPNs that allow you to securely access the Internet via a public Wi-Fi connection, while encrypting all data sent and making your computer anonymous.
The key is to make it as difficult as possible for someone to hack into your computer.